Legal claims defining the scope of protection, as filed with the USPTO.
1. A network security system comprising: a plurality of subsystems, each subsystem comprising: a plurality of distributed software agents, each agent configured: to collect a security event from a monitor device; and to transmit the security event; a local manager module coupled to the plurality of distributed software agents, configured: to receive, from each agent, the security event; to generate one or more correlated events by correlating the received security events, wherein a correlated event comprises a conclusion drawn from the received security events; and to transmit the one or more correlated events; and a local manager agent coupled to the local manager module, configured: to receive, from the local manager module, the one or more correlated events; to process the one or more correlated events; and to transmit the processed correlated events; and a global manager module coupled to the plurality of subsystems, each subsystem comprising a local network security system, the global manager module configured: to receive, from each subsystem, the processed correlated events; and to correlate the received processed correlated events.
2. The network security system of claim 1, wherein each subsystem further comprises a filter coupled to the local manager module, configured: to receive, from the local manager module, the one or more correlated events; to select correlated events; and to transmit the selected correlated events.
3. The network security system of claim 2, wherein the filter can be automatically programmed by the global manager module.
4. The network security system of claim 1, further comprising a back-channel between the global manager module and the local manager module configured to request a security event related to a specific correlated event received by the global manager module.
5. The network security system of claim 4, wherein the back-channel is further configured to transmit the requested security event to the global manager module.
6. The network security system of claim 1, wherein the local network security system monitors a network associated with a site.
7. A method for monitoring a plurality of local networks, the method comprising: for each local network: collecting security events; generating local correlated events by correlating the collected security events at a local network security system monitoring the local network, wherein a local correlated event comprises a conclusion drawn from the collected security events; and processing the local correlated events; collecting, from each local network, the processed local correlated events; and generating global correlated events by correlating the collected processed local correlated events.
8. The method of claim 7, further comprising filtering the processed local correlated events generated by each local network to determine which processed local correlated events to collect.
9. The method of claim 7, wherein the security events are collected by a plurality of distributed software agents.
10. The method of claim 7, wherein the processed local correlated events are collected by a distributed software agent associated with the local network security system.
11. The method of claim 7, wherein the global correlated events are generated by a global manager module.
12. A machine-readable medium having stored thereon data representing instructions that, when executed by a processor, causes the processor to perform operations comprising: for each local network of a plurality of local networks: collecting security events; generating local correlated events by correlating the collected security events at a local network security system monitoring the local network, wherein a local correlated event comprises a conclusion drawn from the collected security events; and processing the local correlated events; collecting, from each local network, the processed local correlated events; and generating global correlated events by correlating the collected processed local correlated events.
13. The machine-readable medium of claim 12, wherein the instructions further cause the processor to perform operations comprising filtering the processed local correlated events generated by each local network to determine which processed local correlated events to collect.
14. The machine-readable medium of claim 12, wherein the security events are collected by a plurality of distributed software agents.
15. The machine-readable medium of claim 12, wherein the processed local correlated events are collected by a distributed software agent associated with the local network security system.
16. The machine-readable medium of claim 12, wherein the global correlated events are generated by a global manager module.
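
The two-tier flow of claims 1 to 5 (local correlation, filtering, global correlation, back-channel lookup) as an added Python example; it is not code from the patent. The class names, the failed-login threshold rule, the two-site rule and the sample events are assumptions made for illustration, since the claims do not specify any correlation rule.

```python
from collections import defaultdict

# Constructed sample input: (site, source address, event type) as reported by agents.
SAMPLE = ([("site-a", "203.0.113.7", "login_failed")] * 3
          + [("site-a", "198.51.100.9", "login_failed")]
          + [("site-b", "203.0.113.7", "login_failed")] * 4
          + [("site-b", "192.0.2.50", "login_failed")] * 3)

class LocalManager:
    """One subsystem: stores agent events, correlates, filters what goes upstream."""
    def __init__(self, site, threshold=3):
        self.site, self.threshold = site, threshold
        self.events = []        # raw security events received from agents
        self.min_count = 0      # filter setting, programmable by the global manager

    def correlate(self):
        # Assumed rule: >= threshold failed logins from one source => "brute_force".
        fails = defaultdict(int)
        for src, kind in self.events:
            fails[src] += kind == "login_failed"
        return [{"site": self.site, "src": s, "conclusion": "brute_force", "count": n}
                for s, n in sorted(fails.items()) if n >= self.threshold]

    def forward(self):
        # Filter step: only selected correlated events leave the site.
        return [c for c in self.correlate() if c["count"] >= self.min_count]

    def raw_for(self, src):
        # Back-channel: raw events behind a correlated event, returned on request.
        return [e for e in self.events if e[0] == src]

class GlobalManager:
    def __init__(self, managers):
        self.managers = managers

    def correlate(self):
        # Assumed rule: same source concluded as brute force at >= 2 sites.
        sites = defaultdict(set)
        for m in self.managers:
            for c in m.forward():
                sites[c["src"]].add(c["site"])
        return {s: sorted(v) for s, v in sorted(sites.items()) if len(v) >= 2}

    def drill_down(self, src):
        return {m.site: m.raw_for(src) for m in self.managers if m.raw_for(src)}

def build(sample=SAMPLE):
    local = {}
    for site, src, kind in sample:
        local.setdefault(site, LocalManager(site)).events.append((src, kind))
    return GlobalManager(list(local.values()))
```

Only the per-site conclusions cross the site boundary; the raw events stay with each local manager until `drill_down` asks for them, which is the traffic reduction the hierarchy is built for.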
Unknown
September 6, 2011